Archive for the ‘Book Review’ Category

Book Review: “Managing the Audit Function” by Michael P. Cangemi and Tommie Singleton

Image: Sant Magí, TGN 2009, by calafellvalo via Flickr

Many Internal Audit directors and managers new to their positions sometimes find it difficult to focus on the basics that keep their departments working smoothly, especially when dealing with the challenges of a difficult economy and pressure from Audit Committees adjusting to new regulatory issues. To make matters worse, audit managers often juggle multiple projects at various locations with limited staff and little direction or mentoring from “audit subject matter experts,” who are difficult to find when needed. Obtaining timely assistance in these situations can be a challenge.

Subscribing to the hundreds of blogs, Twitter, Facebook, LinkedIn and professional networking groups on the web helps, but after a time the inevitable “information overload” occurs, and obtaining 120 opinions in 2 hours, each from unknown individuals of varying expertise and based on assumptions ranging from accurate to insane, can actually hinder decision making. This is why I recently recommended to a new IT Audit Director experiencing this challenge that he purchase “Managing the Audit Function,” 3rd Edition, written by Michael P. Cangemi and Tommie Singleton. This book’s 369 pages are an audit manager’s best friend: direct, to the point and authoritative. The authors, both highly respected and experienced in the audit field, focus on the key elements needed to successfully manage an internal audit department and include a wide range of forms, policies and guidelines, as well as reporting best practices and organizational / administrative procedures. In my opinion this is the type of book every internal audit library should have, benefiting both financial and IT audit managers.

Let me review the book in greater detail so you understand why I place so much value in it.

The book is divided into four parts with nine chapters, each thoroughly presented with real life examples focusing on the what, why and when. The first part provides an excellent background on the Fundamentals of the Internal Audit Function (for those who have not had the pleasure of reading Brink’s Modern Internal Auditing), covering auditing standards and the responsibilities of a corporate auditor. The chapters on Internal Controls are precise and cover Risk Assessment and Control Strategies, both of great importance given the current regulatory environment. This first part of the book also introduces the reader to the “Corporate Audit Department Procedures Manual,” which is the tool used by the authors to bring into context each of the many forms and templates presented. At minimum, this book teaches the new audit director or manager how to prepare a high quality Audit Department Procedures Manual!

The second part of the book focuses on the management and administrative aspects of running a corporate audit department. Taking nothing for granted, the first chapter in this section starts with how an audit department should be organized, where it should sit in the corporate structure, its charter, policies and personnel. A good amount of focus is given to the responsibilities, duties and roles of internal audit managers and the CAE, as well as their relationships with external auditors and regulators. An excellent section devoted to audit planning, scoping and implementation is also included (which is later expanded in part three), giving the new manager a quick snapshot of these subjects if they have not obtained it elsewhere. For me, the best chapter in this part of the book is the chapter on Personnel, Administration, and Recruiting, dealing with performance evaluations and overall staff development.

The third part of the book focuses on Technical Procedures. This part makes generous use of sample forms and templates, giving the reader a head start on creating these when needed. The three chapters composing this part of the book are, in my opinion, the best coverage of Audit Planning, Audit Performance and Audit Reporting I’ve seen in a book anywhere. A manager who understands these three chapters is qualified to lead any audit department without worry. The coverage of Materiality, Workpapers and Reports to Management and Audit Committees is magnificent. The authors cover the relevant GAAP, SEC and AICPA procedures, pronouncements and guidance related to these important issues with clarity and directness, making the material digestible and easy to follow (the book was written in 2003, so readers need to read up on all relevant updates to be current).

The last part of the book deals with the Long-Term Effectiveness of a corporate audit department, an area many new directors and managers do not focus on very well because they tend to focus on the “here and now,” but which impacts how others see them and measure their success. Here, the authors cover Corporate Governance issues, Quality Assurance, Continuous Improvement systems and Marketing the Audit Function. These discussions increase the awareness of the “marketing” process among new audit managers, who need to sell themselves as much as what they do in order to succeed in the organization.

I will conclude this very positive review by saying that having this book is like having a well-rounded and dependable subject matter expert in audit management at your disposal each and every time you need a quick answer. If you are a new audit director or audit manager, the book will save you countless hours of research time and frustration.

To purchase “Managing the Audit Function,” visit Today’s Audit Journal’s Bookstore.


Book Review: “The New Data Imperative: Managing Real-Time Risk in Capital Markets” by Dr. Raj Nathan, Irfan Khan, & Sinan Baskan

Image: Nude Sunbathing, by STML via Flickr

It seems that since the arrival of the Great Recession everyone has rushed out a book explaining why it happened and how to prevent it in the future. The feeding frenzy includes folks from all sorts of backgrounds who barely know what Sarbanes-Oxley, a financial statement or a CobiT control is. For many of these “experts,” the reasons for the recession are clearly not financial or regulatory or linked to Globalization, but deeply ingrained in our dysfunctional and narcissistic society and in nasty “capitalism,” which to many is as deadly a tormentor of society as the Black Plague was 700 years ago. The damage caused by the recession is viewed as evidence that there is a need to educate the masses in new righteous ways to make money and to legislate new rules over corporate conduct. The new Robin Hoods, of course, are poised to make lots of money by selling new training programs, conducting seminars in Las Vegas and devising new green and “humane” ways to dismantle capitalism.

Although written by Sybase executives, The New Data Imperative by Dr. Raj Nathan, Irfan Khan and Sinan Baskan is not one of those new opportunistic books I am so disappointed to see in the book stores today. This book is a breath of fresh air in that it does not overshoot its scope and intent. Although it discusses the recession and uses it as a backdrop, the book in its 115 pages manages to convey the what, how, when and why of the information infrastructure behind today’s globalized financial markets, and why changes to it are needed. It does this in language that is understandable to non-technical business people (auditors, compliance, legal and financial management), who for the most part are the ones who need to understand these things so they can participate in future implementations and improvements to existing systems.

In the next three to five years Risk Management will see an increase in the complexity of analysis, the need for faster data acquisition, faster reporting and the integration of more diverse data sources from in-house and from “the cloud,” not to mention a likely increase in Regulatory Compliance mandates. For these reasons, the way we approach the infrastructure that supports the Risk Management function(s) needs to be re-conceptualized. “The New Data Imperative” provides a quick snapshot of how to achieve this. The book looks at the state of current Risk Management “silos,” their data feeds, analysis cycles, reporting structures and overall data infrastructure, explaining why these current systems fell short during the recent financial crisis, and provides us with a well conceptualized picture of how to transition, often without major and costly changes, into the data environments needed for the new Risk Management processes now being proposed by regulators, the Big Four and some of the leading international financial standards organizations.

In addition to its clarity, in my opinion the book serves another important purpose: that of attempting to educate “legacy” type IT managers who in many organizations today have “stale” skill sets and are often ignorant of industry best practices and trends. As many an experienced IT auditor can confirm, these managers are ill prepared for the future and cannot visualize the infrastructure changes needed to implement and maintain the Enterprise Risk Management systems of the post Great Recession era. Because these folks cannot visualize the future, they tend to be serious obstacles to improving performance and strategically positioning IT investments for competitive advantage. Although high in authority because of seniority or organizational politics, these folks have managed to carve out positions where they appear to provide value not by what they do, but by how they stop others from doing. They are in a way the “Gate Keepers” against innovation and process improvements. If by some miracle some of these individuals were to read “The New Data Imperative,” I think great technological achievements would take place in their organizations.

If you are an IT Auditor or a Risk Manager for a financial institution, I highly recommend that you familiarize yourself with this book. I believe the book will bring you up to date on the latest real-time risk management concepts and will open your eyes to some of the technological challenges we will be facing in the next three to five years as Enterprise Risk Management evolves to a more mature level.

Because the book is small and unassuming, I also recommend it as a gift for those “legacy” type IT managers I mentioned earlier.   It may be the most eye opening technology book they’ve read in the last 10 years!

If you’re wondering about the “Nude Sunbathing” sign above... let me explain why it’s here. This picture was taken last July one block away from the Jacob Javits Convention Center in NYC, on the day the National Enterprise Risk Management Club of Buenos Aires, Argentina, was holding its national awards for the most creative use of Twitter in a crisis situation. When members saw this sign they tweeted all the participants, and half the Jacob Javits Center emptied as the men rushed to the Hudson River to watch the annoyed sunbathers. Now the question being debated by serious Harvard sociologists is: Did Twitter empty out the Jacob Javits Center, or was it the naked sunbathers and their uncontrollable effects on the hot Latins from Argentina?


Book Review: “Business Continuity Planning Methodology” by Dr. Akhtar Syed & Afsar Sayed

Image: The Pillars of the Earth, by pietroizzo via Flickr

I will start this book review by breaking the rules. That is, I will first tell you the book is fantastic, one of the best I’ve read on any professional subject, and that if you are a CBCP and do not own it, you should get it ASAP. Now, for the review.

I have many BCP books in my library, but few come close to “Business Continuity Planning Methodology” in maintaining harmony with the DRII framework, as well as best practices from ISO, CobiT and NFPA. It is also the only one that actually takes you step by step through the major domains every Business Continuity professional needs to know. The book is 300 pages, so it is concise and to the point. The authors are hands-on experts in the field who do not waste time on academic examples to drive their points. The book is divided into eight chapters, listed below:

  • Introduction
  • Risk Management
  • Business Impact Analysis
  • Business Continuity Strategy Development
  • Business Continuity Plan Development
  • Business Continuity Plan Testing
  • Business Continuity Plan Maintenance
  • BCP Process: Reports and Documents Summary

The sections on Risk Management and Business Impact Analysis should be mandatory reading for everyone in the Risk, Security, Audit and Governance fields. In my experience, today the folks holding the CBCP certification have the best Risk Management training of all the non-financial professionals involved with Risk Management. The granularity and scope of a typical BCP Risk Assessment is far superior to most of what I’ve seen coming out of the IT Security and regulatory compliance spaces. In addition, the BCP type multi-dimensional Risk Assessment is also superior to those generated by most Auditors, who tend to stop at the financial threshold test generated from the year end financial report. I have long felt that just these two chapters are well worth the price of the entire book.

Business Continuity is a serious subject that is still misunderstood at many organizations. In addition, BCP was left out of the Sarbanes-Oxley act, which has given many a CIO, CFO and CEO the excuse that “it is not required”; therefore few resources get allocated to having dedicated BCP professionals on board and/or having serious continuity plans. Outside of the southern states (highly affected by Hurricane Katrina) we do not see much serious Business Continuity work at major organizations. I always considered this attitude irresponsible. The idea that disasters, crises and business disruptions are things that affect “others” and are not worth preparing for seems contrary to logic. Convincing these “C” types about the value of BCP is a tough job, but if you need to do it and you need to develop a clear and concise argument about what needs to be done, what resources will be needed and how long the efforts may take, the “Business Continuity Planning Methodology” may be one of the best references to have at hand.

As Enterprise Risk Management (ERM) gears up as a result of recent market debacles, we will see a greater need to break the silos that now keep IT Security Risk Assessments, Business Continuity Risk Assessments, Financial Risk Assessments, Operational Risk Assessments, Market Risk Assessments and Regulatory Risk Assessments apart. True ERM calls for a unified view of risks across all departments, regions, functions, resources and markets. Threats and information about threats need to be managed in a unified manner. The BCP approach to Risk Assessment takes this approach.

If you are or plan to be involved in an ERM initiative and you lack Risk Assessment experience, your best bet is to learn the Business Continuity approach to Risk Assessment and Business Impact Analysis. When you understand these, the other types of Risk Assessments will be easy to tackle. The Business Continuity Planning Methodology book is a tool that will get you started in understanding this process. Of course, it is a great reference for all the other topics it covers as well.

Business Continuity Planning Methodology can be purchased from the Today’s Audit Journal book store, by clicking the link below:


Book Review: “Excel for Auditors” by Bill Jelen & Dwayne K. Dowell

Image: Calle Fuencarral, Madrid, España, via Flickr

There are still a good number of Auditors in the field who are technologically challenged. These folks may even be unfamiliar with the ACL product and cringe at the idea of having to analyze AP or AR tables when provided in database or spreadsheet format. I have met a good number of these people and found that in many cases their “analytics phobia” is due to poor or non-existent training in basic Auditor analytical skills. However, almost all of these folks have some basic to intermediate level Excel spreadsheet capabilities, which can be used as the basis for training them in more sophisticated analytical methods. The Excel for Auditors book, from Holy Macro! Books, provides a perfect tool to teach new auditors and technologically challenged ones some key high value Excel functions.

Using the book as a training outline, accompanied by a PowerPoint presentation, I developed an intermediate level training class of two two-hour sessions, which successfully helped many new auditors break their fears of spreadsheet analytics and taught a few old dogs new tricks.

Of course, most of the Excel functions presented in the book are found in ACL’s integrated environment, and those who have ACL should instead focus on using that product, but for those who do not have ACL, the best option is to use a spreadsheet like Excel (and develop good analytical skills in it).

Excel for Auditors is 212 pages and contains the following chapters:

  • Copying a Worksheet
  • Showing Numbers in Thousands
  • Quickly Seeing Sum or Average
  • Adding Subtotals
  • Quickly Filling a Series
  • Using a Fixed Value in your Formula
  • Replacing a Thousand Formulas with One
  • Highlighting Outliers
  • Turning your Data on its Side with Transpose
  • Joining Text
  • Looking up Data
  • Sorting your Data
  • Dealing with Dates
  • Analyzing Data with Pivot Tables
  • Analyzing Results by Date
  • Creating a Random Sample from a Datasheet
  • Finding and Analyzing Records Using AutoFilter
  • Formula Auditing
  • Matching Two Lists
  • Finding Duplicates or Unique Values
  • Finding Missing Dates in Data
  • Automating Excel with VBA

I recommend the book as a training tool and as a reference to keep in an audit library. If used properly, it can help the technologically challenged auditor overcome some of his/her fears of Excel analytics, and that by itself is an extremely valuable thing.

Excel for Auditors is not intended to be a power user’s book. If you are a user who enjoys writing Visual Basic scripts well past midnight, if you’re a Nerd or a tinkerer/techie, then this book is not for you. Excel power users are usually insulted by books under 300 pages and do not consider an application “well covered” unless the book is at least 974 pages long! Most auditors I know are not Nerds, tinkerers or techies and simply need a quick and to the point aid on how to achieve results, and this book does that well.

The book can be purchased from the Today’s Audit Journal bookstore for under $20.00.


Book Review: “Auditing the Risk Management Process” by K.H. Spencer Pickett

Image: TALL Performers, by eschipul via Flickr

I started reading this book a couple of days ago and I have not finished it yet. But a friend asked me to write a short review for his blog, and I decided to post it here as well.

1) For someone who has limited experience with the Risk Management process, and auditing Risk Management processes, the book provides a well structured starting point. For those who have experience in Risk Management it serves as a reference to a well structured methodology, with a COSO ERM framework.

2) The book is well written and logically structured with 8 chapters. Each chapter builds on the previous and finally leads to audit best practice recommendations, as well as “Poor Practice Models” to avoid. The author uses case studies throughout the book to make his points.

All the major operational and IT ERM processes are covered (but not the financial ones), and I think the book is excellent for both auditors and those who will have hands on involvement with ERM. Risk Management is in a process of transition, and new rules and regulations are coming down the road. This book can give new or mid level practitioners a good picture of the methodologies and frameworks used in the field today, and likely to be expanded upon in the near future.

Critique: The book is not focused on Financial Risk Management, and does not cover the important domains in that type of RA. Persons interested in understanding Financial Risk Assessment are advised to look at books like “The Essentials of Risk Management,” and to visit the PRMIA website for additional resources.

I recommend the book to all auditors, especially if they expect to be tasked with new Risk Assessment auditing duties in the near future.

The photo above is of an auditor performing a Risk Assessment at one of the top credit Risk Agencies in New York City.
